Check your iPhone, iPad apps: Malware gets into the App Store

One of the benefits of Apple’s iOS ecosystem is that the company tightly controls what apps are allowed in its App Store. This ensures that programs designed to run on iPhones and iPads meet standards for quality and, most importantly, safety. Because of this curated approach, malicious software hasn’t been an issue for iOS . . . until now.

The New York Times reports that Apple confirmed Sunday that some developers had created apps using a compromised version of Xcode, the software Apple provides for building iOS programs. Hackers had placed a malware-laced version of Xcode onto Chinese servers, and some developers had downloaded and used it instead of the official copy. The malware has been dubbed XcodeGhost.

Most of the apps created with this bogus version of Xcode are aimed at the Chinese market, but some titles used worldwide were affected, including the popular messaging app WeChat and the venerable compression app WinZip. The poisoned version of Xcode and the apps it created were detailed by Palo Alto Networks, a network security firm. They published a list of the apps known to be compromised here.

Among them is CamCard, used to scan business cards and convert that data into contact listings. It turns out I had a copy of that app on my iPhone. Needless to say, I removed it immediately.

So what does an app infected with XcodeGhost do? According to Palo Alto Networks, it can trick users into giving up critical information, among other things:

. . . In summary, the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform the following actions:

Prompt a fake alert dialog to phish user credentials;

Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;

Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

That first one is particularly nefarious. Because the alert dialog requesting credentials comes from inside an authorized app, users would be apt to trust it and enter passwords and other sensitive data without hesitation.

Apple told the Times that it has removed the known compromised apps from its store and is working with developers to get legitimate copies of Xcode, which can be used to rebuild safe versions. Apple itself has not released a list of compromised apps, but I’d recommend you check the Palo Alto Networks list and remove any apps from your devices that you see there.
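For developers, the practical check that follows from the last paragraph is confirming that the Xcode on the build machine is the one Apple signed, not a copy pulled from a third-party server. The script below is an added example, not code from the article or from Apple or Palo Alto Networks; it wraps macOS's Gatekeeper assessment tool (spctl) and accepts only a bundle that Gatekeeper reports as accepted from the Mac App Store or Apple itself. The path /Applications/Xcode.app and the XCODE_PATH variable are assumptions; the parsing function is kept separate so it can be exercised with sample spctl output off a Mac.

```shell
#!/bin/sh
# Added example (not from the article): verify a developer's Xcode install is
# Apple-signed before building release apps with it.
# Assumption: Xcode lives at /Applications/Xcode.app unless XCODE_PATH is set.
XCODE_PATH="${XCODE_PATH:-/Applications/Xcode.app}"

# Decide from spctl's text whether the bundle passed Gatekeeper and came from
# Apple. Genuine Xcode reports "accepted" and a source of "Mac App Store",
# "Apple System" or "Apple"; a tampered copy is rejected or shows another source.
# $1: the combined stdout/stderr that `spctl --assess --verbose` printed.
xcode_assessment_ok() {
    out="$1"
    case "$out" in
        *"accepted"*) ;;            # must be accepted at all
        *) return 1 ;;
    esac
    case "$out" in
        *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*) return 0 ;;
        *) return 1 ;;              # accepted, but not by an Apple source
    esac
}

# Run the real assessment against a bundle path and report the verdict.
# Returns 0 when trusted, 1 when the assessment fails, 2 when no bundle exists.
check_xcode() {
    path="${1:-$XCODE_PATH}"
    if [ ! -d "$path" ]; then
        echo "no Xcode bundle found at $path" >&2
        return 2
    fi
    result=$(spctl --assess --verbose "$path" 2>&1)
    if xcode_assessment_ok "$result"; then
        echo "OK: $path is Apple-signed ($(echo "$result" | tr '\n' ' '))"
        return 0
    fi
    echo "WARNING: $path failed Gatekeeper assessment: $result" >&2
    echo "Re-download Xcode from the Mac App Store and rebuild your apps." >&2
    return 1
}

# Only touch the live system when explicitly asked: sh check_xcode.sh --run
if [ "${1:-}" = "--run" ]; then
    check_xcode
fi
```

Run it as `sh check_xcode.sh --run` on the build Mac; a copy of Xcode installed from anywhere other than the Mac App Store or Apple's developer downloads will fail the source check even if it happens to carry some valid signature, which is the point: the article's remediation is to rebuild with a legitimate Xcode, and this is how to confirm you have one.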